
I have this PHP login script which contains three users (Root, Secretary and Accountant) and works perfectly.

But as you can see every account has its own PHP tag to allow a certain user to log in. My aim is to use only one PHP tag

<?php ....?>

for all accounts. Example: the login must check if the username or password is not correct; he/she will be directed to the same login page and the message will be "insert correct username or password" in red text. Also I'd like to introduce a PHP login session so that if the user is not logged in, he/she will be directed to the login page (index.php). I want to avoid users who try to bypass the system.

Any help please, I am just new in PHP.

This is the code:

    <?php
    // Connect to server and select database.
    $link = mysql_connect("localhost", "root", "mcl") or die("cannot connect");
    mysql_select_db("mcl", $link) or die("cannot select DB");
    $sql = "SELECT * FROM admin WHERE fname=('$_POST[fname]') and
            password=('$_POST[password]')";
    $result = mysql_query($sql);
    // mysql_num_rows counts the matching table rows
    $count = mysql_num_rows($result);
    // If result matched $myusername and $mypassword, table row must be 1 row
    if ($count > 0) {
        // Register $myusername, $mypassword and redirect to file "login_success.php"
        header("location:dashboard.php");
    }
    ?>

    <?php
    $fname = "fname";
    $link = mysql_connect("localhost", "root", "mcl") or die("cannot connect");
    mysql_select_db("mcl", $link) or die("cannot select DB");
    $sql = "SELECT * FROM acco_untant WHERE fname=('$_POST[fname]') and
            password=('$_POST[password]')";
    $result = mysql_query($sql);
    // mysql_num_rows counts the matching table rows
    $count = mysql_num_rows($result);
    // If result matched $myusername and $mypassword, table row must be 1 row
    if ($count > 0) {
        // Register $myusername, $mypassword and redirect to file "login_success.php"
        header("location:dash_accou.htm");
    } else {
        echo "Invalid username or password "
           . "<a href=\"index.php\"><input type=\"button\" name=\"reload\" value=\"<<<Reload\"></a>";
    }
    ?>

    <?php
    // Connect to server and select database.
    $link = mysql_connect("localhost", "root", "mcl") or die("cannot connect");
    mysql_select_db("mcl", $link) or die("cannot select DB");
    $sql = "SELECT * FROM secretary WHERE fname=('$_POST[fname]') and
            password=('$_POST[password]')";
    $result = mysql_query($sql);
    // mysql_num_rows counts the matching table rows
    $count = mysql_num_rows($result);
    // If result matched $myusername and $mypassword, table row must be 1 row
    if ($count > 0) {
        // Register $myusername, $mypassword and redirect to file "login_success.php"
        header("location:dash_secretary.htm");
    }
    ?>
  • Your script is vulnerable to SQL injections. You should take [measures to prevent it](http://stackoverflow.com/q/60174/53114). – Gumbo Dec 01 '13 at 08:21

2 Answers

You can change the location in a switch, according to the user login ($_POST['fname']), if I understood right.

<?php
       session_start();
       // Connect to server and select database.
       $link=mysql_connect("localhost","root", "mcl")or die("cannot connect");
       mysql_select_db("mcl",$link)or die("cannot select DB");
       $sql="SELECT * FROM admin WHERE fname=('$_POST[fname]') and
       password=('$_POST[password]')";
       $result=mysql_query($sql);
       // Mysql_num_row is counting table row
       $count=mysql_num_rows($result);
       // If result matched $myusername and $mypassword, table row must be 1 row
       if($count>0){
           $_SESSION['username'] = $_POST['fname'];
           switch($_POST['fname']) {
                case 'Root': header("Location: dashboard.php"); break;
                case 'Accountant': header("Location: dash_accou.htm"); break;
                case 'Secretary': header("Location: dash_secretary.htm"); break;
           }
           exit;
       }
       else {
            echo "Invalid username or password";
       }
?>

But I also suggest 3 more things.

To perform a server-side session authentication check inside your scripts. Now I can "login" to your accounts and dashboards just by typing dash_secretary.htm or dashboard.php in the browser URL string. But if you check for the session username's existence and the username inside dashboard.php, it will redirect unauthorized users back to the login page:

session_start();
if(!isset($_SESSION['username']) ||  $_SESSION['username'] != 'Root') {
     header('Location: index.php');
     exit;
}

To pass raw POST data inside an SQL query, for prevention of SQL injection.

To hash user passwords.

V G
  • how can I set mysql injection in this script? please help – user3029499 Dec 01 '13 at 08:50
  • Where should I put this session_start(); if(!isset($_SESSION['username']) || $_SESSION['username'] != 'Root') { header('Location: index.php'); exit; } I am trying to put this in the login page but whenever I insert the correct password and username it takes me back to the same login page – user3029499 Dec 01 '13 at 09:56
  • In each page which only authorized users can access, dashboard.php and the other dashes. – V G Dec 01 '13 at 13:37

You should use PDO or mysqli instead; there are lots of posts on that already.

Also you should put all users in the same table and use a field to identify the type of the user, or have a table with their privileges.

If you want to continue down the path you are going, you can use UNION and add a user_type like this:

$query = "SELECT *, 'admin' AS user_type FROM admin
          WHERE fname=('$_POST[fname]') and password=('$_POST[password]')
          UNION
          SELECT *, 'acco_untant' AS user_type FROM acco_untant
          WHERE fname=('$_POST[fname]') and password=('$_POST[password]')
          UNION
          SELECT *, 'secretary' AS user_type FROM secretary
          WHERE fname=('$_POST[fname]') and password=('$_POST[password]')";
Josh Crozier
Lohardt
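Putting the two answers together (one table with a user type field, prepared statements instead of raw POST data, hashed passwords, and a session that the dashboards can check), here is an added example of a single login handler. It is not code from the question or either answer; it assumes a table `users` with columns `fname`, `password_hash` (stored with `password_hash()`) and `role`, and PHP dashboards `dashboard.php`, `dash_accou.php`, `dash_secretary.php` instead of the `.htm` files.

```php
<?php
// Added example: one login handler for all three roles.
// Assumed table: users(fname, password_hash, role).
session_start();

$pdo = new PDO('mysql:host=localhost;dbname=mcl;charset=utf8mb4', 'root', 'mcl', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

// Role -> landing page. The redirect target is chosen from this fixed map,
// never from anything the browser sent.
$dashboards = [
    'admin'      => 'dashboard.php',
    'accountant' => 'dash_accou.php',
    'secretary'  => 'dash_secretary.php',
];

$fname    = $_POST['fname'] ?? '';
$password = $_POST['password'] ?? '';

// Bound parameter: the username travels separately from the SQL text, so
// quotes or SQL keywords in it cannot change the statement.
$stmt = $pdo->prepare('SELECT password_hash, role FROM users WHERE fname = ? LIMIT 1');
$stmt->execute([$fname]);
$user = $stmt->fetch(PDO::FETCH_ASSOC);

// password_verify() reads the salt and algorithm out of the stored hash and
// compares in constant time; the plaintext password is never stored or queried.
$ok = $user !== false
    && password_verify($password, $user['password_hash'])
    && isset($dashboards[$user['role']]);

if (!$ok) {
    // Same generic message whether the username or the password was wrong.
    echo '<p style="color:red">Insert correct username or password</p>';
    exit;
}

session_regenerate_id(true);           // fresh session id once the user is authenticated
$_SESSION['username'] = $fname;
$_SESSION['role']     = $user['role']; // role comes from the database, not from POST
header('Location: ' . $dashboards[$user['role']]);
exit;
```

Each dashboard must be a PHP file rather than `.htm` so that it can start with `session_start()` and redirect to `index.php` unless `$_SESSION['role']` is the role that page belongs to, as the first answer describes.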